Skills
skills/tradingstrategy-ai/web3-ethereum-defi/find-new-curators/Gen Agent Trust Hub

find-new-curators

Fail

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: CRITICALEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The documentation file first-batch.md contains references to https://concretexyz.pro/ and https://termmax.org/. These URLs have been flagged by automated scanners as malicious, specifically associated with CryptScam activities and appearing on domain blacklists.
  • [COMMAND_EXECUTION]: The skill instructions frequently invoke local Python scripts and tests using poetry run python (e.g., .claude/skills/find-new-curators/scripts/print-existing-curators.py). This is standard for development-oriented skills from this author but relies on the execution of local code in the user's environment.
  • [DATA_EXFILTRATION]: The skill performs network operations to fetch metadata from external DeFi APIs, including blue-api.morpho.org/graphql and app.lagoon.finance/api/vault. While these are well-known industry services, they involve data ingestion from external network sources.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from vault names, symbols, and descriptions (indirect prompt injection surface). Maliciously crafted metadata in a vault could attempt to influence the agent's curator identification heuristics, though the current instructions include verification steps to mitigate this.
Recommendations
  • CRITICAL: 1 infected file(s) detected - DO NOT USE
  • AI detected serious security threats
  • Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
May 13, 2026, 02:45 AM